From: Joseph Balsama <[EMAIL PROTECTED]>

jbalsama> I am new to this, so I may have misunderstood the docs that
jbalsama> come with openssl.

Well, basically, you're mixing apples and oranges...

jbalsama> BEGIN------------
jbalsama> 
jbalsama> # openssl req -new -x509 -keyout newCA/private/cakey.pem -out \
jbalsama>   newCA/cacert.pem -days 365

That was to create a self-signed certificate to use as a CA
certificate and key.  So far so good.

jbalsama> # openssl req -new -nodes -x509 -keyout newreq.pem -out \
jbalsama>   newreq.pem -days 365
[...]
jbalsama> # openssl x509 -x509toreq -in newreq.pem -signkey \
jbalsama>   ./newCA/private/cakey.pem -out tmp.pem

I assume this was meant to be some convoluted way to create a request.
Unfortunately, with the first of the two, you'll get either a private
key or a certificate but not both into newreq.pem.  Since the second
command works, I'll assume that you ended up with the certificate in
newreq.pem.

The second command shows that you haven't quite understood who should
sign the request, and since you lost the private key (since it got
overwritten by the certificate), you apparently felt you had no choice
but to use the CA key to sign the request.  Unfortunately, that's the
wrong way to go.  A request should be signed by the requestor, not by
the CA, for the simple reason that the certificate request contains
your public key, and must be signed with the corresponding private
key.  The following is a simpler way to do what you wanted to do:

# openssl req -new -nodes -keyout newkey.pem -out newreq.pem -days 365

jbalsama> # openssl ca -cert ./newCA/cacert.pem -keyfile \
jbalsama>   ./newCA/private/cakey.pem -policy policy_anything \
jbalsama>   -out newcert.pem -infiles tmp.pem

Now, 'openssl ca' is smart enough to check that the signature on the
request corresponds to the public key (hey, that's what you do with
public-key cryptography!) and find out that in your case, they didn't
match, since you had signed with the wrong key.  However, if you tried
the req command I gave you above, the following command should give
you the result you want:

# openssl ca -cert ./newCA/cacert.pem -keyfile ./newCA/private/cakey.pem \
  -policy policy_anything -out newcert.pem -infiles newreq.pem

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
